Jamf Nation Community

Ah ok. i thought you can provide the automatic installes create with Jamf without the DEP program. or is that not the best practice?

The Jamf client is required to be installed first on all non DEP Mac's.
Once that is done you can start creating policies and roll out configs.

Have you done the quickstart with Jamf already or are you looking into Jamf as an option? I suggest the 100 course, it's free and provides a lot of info on the basics of how to set it up and how it works.

https://www.jamf.com/training/100/

It's not so much that imaging is dead, as it is vastly easier to let Apple install the OS. We let Apple put the OS on, and then we use Jamf Imaging to image-in-place.

In our case we use DEP to enroll the machine in our Jamf system (out of the box, or after a clean OS install from Recovery), install a handful of apps (Bomgar, VPN, Jamf Imaging) and create a default local user account. Then we can log into the machine (remotely with Bomgar if need be) and use Jamf Imaging to deploy (aka image) the 30+GB of applications and settings we need on the boot drive of the machine (image in place). If it's remote from one of our distribution points (majority of the time) then we use a local external drive with a copy of our repository on it shipped to the users.

For the machines that aren't in DEP we, or a local user if remote, create our default user account from the normal Apple setup and we can install Jamf Imaging (or send the Bomgar installer to the remote user) and we 'image' like above.

With over 30GB of apps and settings that go on 99% of our machines leaving the user to do it from Self Service is a support nightmare waiting to happen, and "run on enrollment" isn't foolproof for that much stuff. But I know that most organizations install the basics, if that, or core apps, and let users install anything else they need/want from Self Service.

I use the Prestage enrollments with DEP for zero touch deployment. I have multiple PreStage enrollments for different needs that I just associate the serial number with after the device is in DEP. First thing that needs to happen is the user will need valid LDAP credentials from our institution. Without them the computer is unusable. So after they login with those credentials that will create the user account and is enrolled in JAMF Pro. At that point it becomes part of a smart group with no software on it. Then have a policy, associated with that smart group, that will run with all the packages, scripts and configs that I set. So I am at the point that I can just hand the end user the sealed computer if I want. I also have a prestage setup for stolen computers. I move the computer to that prestage and wipe it. The computer can not be used again without intervention from me.

@GreggPattison We are using a similar process, but do you have a way to force network connection during setup assistant? If a user skips network at that point in a zero-touch deployment, the prestage enrollment means nothing! I wish macOS required a network connection during setup like iOS...

@cboatwright is correct, until the DEP is truly enforced on macOS, it won't be the same thing as with iOS